Microsoft® Windows® Malicious Software Removal Tool removed:
TrojanDownloader:Win32/cutwail.AQ
Virus:Win32/cutwail.G
(I could only run this program in safe mode)

Restart

Ran ATF-Cleaner (Could only run in safe mode)
*Received error"Application cannot be executed. The file ATF-Cleaner.exe is infected. Do you want to activate your anti virus software now?"*

Restart

Ran MBAM.EXE. (Could only run in safe mode)
*Received error"Application cannot be executed. The file MBAM.EXE is infected. Do you want to activate your anti virus software now?"*

This is the log I did shortly after computer was infected.

Malwarebytes' Anti-Malware 1.37
Database version: 2261
Windows 5.1.2600 Service Pack 3

12/11/2009 10:31:40 AM
mbam-log-2009-12-11 (10-31-40).txt

Scan type: Full Scan (C:\|)
Objects scanned: 394178
Time elapsed: 1 hour(s), 8 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: izeap6.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\izeap6.dll (Trojan.Vundo.H) -> Delete on reboot.

I cannot run ESET because I cannot get on the internet with the computer.

DDS log:

DDS (Ver_09-12-01.01) - NTFSx86 NETWORK
Run by MikeKafka at 9:04:04.09 on Tue 12/15/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2570 [GMT -6:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
D:\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uStart Page = hxxp://www.yahoo.com/
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearchAssistant = hxxp://www.google.com/ie
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [ttool] c:\windows\srsdllpro.exe
uRun: [av_md] c:\documents and settings\mikekafka\av_md.exe
uRun: [peqqlgij] c:\windows\system32\config\systemprofile\local settings\application data\dirfut\kqnfsysguard.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [SolidWorks_CheckForUpdates] "c:\program files\common files\solidworks installation manager\scheduler\sldIMScheduler.exe" /scheduler
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [HP Network Registry Agent] c:\windows\system32\hpnra.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [sysgif32] c:\windows\temp\~TM5F.tmp
mRun: [Regedit32] c:\windows\system32\regedit.exe
mRun: [peqqlgij] c:\windows\system32\config\systemprofile\local settings\application data\dirfut\kqnfsysguard.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [<NO NAME>] c:\documents and settings\networkservice\.exe /i
StartupFolder: c:\docume~1\mikeka~1\startm~1\programs\startup\solidw~1.lnk - c:\program files\solidworks2007\swscheduler\swBOEngine.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{3e5562ed-69ab-4cec-91e2-64e18ec5acc6}\Icon3E5562ED7.ico
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123169160567
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147888441115
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} - hxxp://www.live365.com/players/play365.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 192.168.5.10 kmcfs1.com

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-10-28 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-10-28 108392]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec antivirus\Rtvscan.exe [2009-10-28 2477304]
S2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
S2 MSSQL$SIGMANEST;SQL Server (SIGMANEST);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2007-2-10 29178224]
S2 Remote Solver for COSMOSFloWorks 2008;Remote Solver for COSMOSFloWorks 2008;c:\program files\solidworks2007\cosmosfloworks\floworks\bincfw\StandAloneSlv.exe [2008-1-23 245760]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-3-21 24652]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-10-28 23888]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-11-3 102448]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-6-11 40160]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20091124.050\NAVENG.SYS [2009-11-25 84912]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20091124.050\NAVEX15.SYS [2009-11-25 1323568]

=============== Created Last 30 ================

2009-12-15 13:43:24 0 ----a-w- c:\documents and settings\mikekafka\mikekafka.exe
2009-12-14 13:53:06 0 d-----w- C:\69b7e6b16957ee122e89
2009-12-14 13:53:04 0 d-----w- C:\92546d5f3d170e73ec0bf0
2009-12-14 13:52:57 0 d-----w- C:\91cdd5b4f92a414575b8
2009-12-14 13:52:54 0 d-----w- C:\24c80100adea7db056daa981c8
2009-12-11 00:12:48 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2009-12-11 00:11:59 148 ----a-w- c:\windows\system32\fjhdyfhsn.bat
2009-12-11 00:11:56 66048 ----a-w- c:\windows\srsdllpro.exe
2009-12-11 00:11:48 4 ----a-w- c:\docume~1\mikeka~1\applic~1\avdrn.dat
2009-11-18 02:10:58 0 d-----w- c:\docume~1\mikeka~1\applic~1\DassaultSystemes

==================== Find3M ====================

2009-12-11 00:12:48 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-10-29 19:08:22 3070976 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-10-29 05:38:23 667136 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 05:38:23 667136 ------w- c:\windows\system32\dllcache\wininet.dll
2009-10-29 05:38:22 627712 ------w- c:\windows\system32\dllcache\urlmon.dll
2009-10-29 05:38:22 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
2009-10-28 17:54:39 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-10-28 17:54:39 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-10-28 17:54:39 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-10-28 17:54:39 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-10-28 17:44:52 9892 ----a-w- c:\windows\system32\drivers\SymRedir.cat
2009-10-28 17:44:52 39856 ----a-w- c:\windows\system32\drivers\symids.sys
2009-10-28 17:44:52 38448 ----a-w- c:\windows\system32\drivers\symndisv.sys
2009-10-28 17:44:52 35120 ----a-w- c:\windows\system32\drivers\symndis.sys
2009-10-28 17:44:52 26416 ----a-w- c:\windows\system32\drivers\symredrv.sys
2009-10-28 17:44:52 188080 ----a-w- c:\windows\system32\drivers\symtdi.sys
2009-10-28 17:44:52 145968 ----a-w- c:\windows\system32\drivers\symfw.sys
2009-10-28 17:44:52 1356 ----a-w- c:\windows\system32\drivers\SymRedir.inf
2009-10-28 17:44:52 12720 ----a-w- c:\windows\system32\drivers\symdns.sys
2009-10-28 17:44:50 706 ----a-w- c:\windows\system32\drivers\COH_Mon.inf
2009-10-28 17:44:50 23888 ----a-w- c:\windows\system32\drivers\COH_Mon.sys
2009-10-28 17:44:50 10537 ----a-w- c:\windows\system32\drivers\coh_mon.cat
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
2009-10-16 00:07:20 262144 ----a-w- C:\ntuser.dat
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:30:16 270336 ------w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:19 149504 ------w- c:\windows\system32\dllcache\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:38:18 79872 ------w- c:\windows\system32\dllcache\raschap.dll
2009-09-25 05:37:09 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-25 05:37:09 81920 ------w- c:\windows\system32\dllcache\ieencode.dll

============= FINISH: 9:04:17.82 ===============


Attach.txt is attached.

Please help!

ESET Scan -- safe mode only -- I can't get on the internet in normal mode.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=6.00.2900.5512 (xpsp.080413-2105)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=45aa0fef9fb508458ce485722538cc53
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-12-15 07:34:12
# local_time=2009-12-15 01:34:12 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=198120
# found=2
# cleaned=2
# scan_time=3683
C:\WINDOWS\srsdllpro.exe a variant of Win32/Kryptik.BIP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\dirfut\kqnfsysguard.exe Win32/Adware.SpyProtector.N application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

Hi Scott,

That looks like an extremely nasty infection with many possibly modified system files.

-- Any way to get a more current version of MBAM to run? That's an old build with ancient definitions.

-- Can you tell me what this is? Do you recognize it as business related and tailored to your user? --> mikekafka.exe
c:\documents and settings\mikekafka\mikekafka.exe

With combofix down, we'll need to try a few other things. Let me know about the above.

PP:)

That .exe I cannot get rid of. That is something bad that I cannot delete. Not sure how to get rid of it.

I followed all the steps in the sticky post and I can run fine in normal mode now with no pop-ups. So the way it goes is nothing is acting bad but I know that file is bad. How can I get rid of it? This terminal takes forever to start and shutdown. Much longer than all the others on my network. Not sure that means anything to do with this.

How can I get rid of that file? I will runn a more current MBAM with current definitions tomorrow. I ran it this morning with these dated definitions and it doesn't find anything.

Oh yeah, I do have full internet access and it is not blocking sites like it was before.

Oh yeah, I do have full internet access and it is not blocking sites like it was before.

OK - see if you can update and run MBAM and post the log for me.

Looks like a bunch of Vundo + others. You'll definitely need to get that Java updated on all vulnerable machines on the network.

Let's see what MBAM can remove and go from there.

PP:)

Fresh MBAM:

Malwarebytes' Anti-Malware 1.42
Database version: 3289
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/17/2009 12:50:07 PM
mbam-log-2009-12-17 (12-50-07).txt

Scan type: Full Scan (C:\|)
Objects scanned: 348872
Time elapsed: 1 hour(s), 33 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysgif32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\regedit32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\av_md (Trojan.Dropper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Well . . . That still leaves a mess.

I'd like to wait until combofix is back up (non-beta) and then have a go with that.

In the meantime, you should update Adobe / Java as with previous compy and remove the old versions.
Also, remove Viewpoint, if you so desire.

-- Do you know what this is? What's in the dirfut folder?
c:\windows\system32\config\systemprofile\local settings\application data\dirfut\kqnfsysguard.exe

PP:)

I am not sure what Viewpoint is used for. Can I just remove it?

I am not sure what that file and folder are. I will have to check with some of the other terminals on the network and see if I can see similar folders and files. Most of the computers were all from the same time frame and that looks like a sstem file so maybe the other will have it. You are going to have to re-instruct me as to how to use combofix when it is back up.

Let me know when we are good to go.

Thanks

I am not sure what Viewpoint is used for. Can I just remove it?

I am not sure what that file and folder are. I will have to check with some of the other terminals on the network and see if I can see similar folders and files. Most of the computers were all from the same time frame and that looks like a sstem file so maybe the other will have it. You are going to have to re-instruct me as to how to use combofix when it is back up.

Let me know when we are good to go.

Thanks

No worries - Hopefully it'll be back up for general download soon.

-- I hope you don't have a network of infected machines . . . This one is worse than the last, or close to it.

You can just uninstall Viewpoint Media Player via Add / Remove programs. Not that big a deal.

The Adobe and Java updates are much more critical for security. You probably need for all machines to help keep the Vundo away.

PP:)

Is there an easy scan for me to tell if the other 6 terminals are infected? I do run MBAM everyonce in awhile but is that going to tell me if that is infected with this? All my other machines are acting normal at this point.

Is there an easy scan for me to tell if the other 6 terminals are infected? I do run MBAM everyonce in awhile but is that going to tell me if that is infected with this? All my other machines are acting normal at this point.

MBAM is good. The Kaspersky or ESET online scans are good, too.

DDS is quick and will show many baddies.
The GMER Quick scan is good to try in conjunction with DDS. But both of these require interpretation by somebody used to reading the logs to pick out most baddies.

PP:)

ronnie2123, please start a new thread. We don't want to combine different issues on different computers within the same thread.

Well . . . That still leaves a mess.

I'd like to wait until combofix is back up (non-beta) and then have a go with that.

In the meantime, you should update Adobe / Java as with previous compy and remove the old versions.
Also, remove Viewpoint, if you so desire.

-- Do you know what this is? What's in the dirfut folder?
c:\windows\system32\config\systemprofile\local settings\application data\dirfut\kqnfsysguard.exe

PP:)

The c:\windows folder you list above is nothing. More than likely something bad. That dirfut folder is also probably something bad. I could get rid of everything related to it if we wish.

I updated Adobe and Java and I will remove viewpoint. Let me know when combo fix is good to go and forward me instructions as what you would like me to do. I will update the other computers with new Java and Adobe today.

PP, is combofix back up and running?

PP, is combofix back up and running?

It seems so - let's give that a go and see what shakes out.

If you already have Combofix on your machine, DELETE it.

Here are the instructions to download a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Be sure to install Recovery Console (as you did on the other machine) and disable any security programs or Anti-Virus programs as per the linky before running Combofix!

Will check back as time permits.

Cheers :)
PP

Combo fix results:

ComboFix 09-12-21.07 - mikekafka 12/22/2009 8:30.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2483 [GMT -6:00]
Running from: c:\documents and settings\mikekafka\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\MIKEKA~1\LOCALS~1\Temp\SolidWorksLicTemp.0001.dir.0005\~de688f.tmp
c:\docume~1\MIKEKA~1\LOCALS~1\Temp\SolidWorksLicTemp.0001.dir.0005\~df394b.tmp
c:\documents and settings\mikekafka\Application Data\avdrn.dat
c:\documents and settings\mikekafka\Application Data\EurekaLog
c:\documents and settings\mikekafka\Local Settings\Temp\SolidWorksLicTemp.0001.dir.0005\~de688f.tmp
c:\documents and settings\mikekafka\Local Settings\Temp\SolidWorksLicTemp.0001.dir.0005\~df394b.tmp
c:\documents and settings\mikekafka\mikekafka.exe
c:\documents and settings\scottklingberg\Application Data\EurekaLog
c:\documents and settings\scottklingberg\Application Data\EurekaLog\EurekaLog.ini
c:\recycler\S-1-5-21-679709237-68272196-2397749495-500
c:\windows\EventSystem.log
c:\windows\system32\config\systemprofile\oashdihasidhasuidhiasdhiashdiuasdhasd

.
((((((((((((((((((((((((( Files Created from 2009-11-22 to 2009-12-22 )))))))))))))))))))))))))))))))
.

2009-12-22 12:59 . 2009-03-31 00:39 -------- d-----w- c:\documents and settings\mikekafka\Application Data\Viewpoint
2009-12-21 17:49 . 2009-12-21 17:49 -------- d--h--w- c:\windows\PIF
2009-12-16 21:18 . 2009-12-16 21:18 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-12-16 14:02 . 2009-10-29 07:45 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-12-16 14:02 . 2009-10-29 07:45 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2009-12-16 14:02 . 2009-10-29 07:45 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-12-16 14:02 . 2009-10-29 07:45 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-12-16 14:02 . 2009-10-29 07:45 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-12-16 14:02 . 2009-10-29 07:45 11069952 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-12-16 14:02 . 2009-12-18 12:35 -------- d-----w- c:\windows\ie8updates
2009-12-16 14:02 . 2009-10-02 04:44 92160 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-12-16 14:00 . 2009-12-16 14:02 -------- dc-h--w- c:\windows\ie8
2009-12-16 13:49 . 2009-12-16 13:49 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-16 13:49 . 2009-12-16 13:49 -------- d-----w- c:\program files\Java
2009-12-16 13:34 . 2009-12-16 13:34 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-12-16 13:31 . 2009-12-16 14:18 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-12-15 18:29 . 2009-12-15 18:29 -------- d-----w- c:\program files\ESET
2009-12-14 13:53 . 2009-12-14 13:53 -------- d-----w- C:\69b7e6b16957ee122e89
2009-12-14 13:53 . 2009-12-14 13:53 -------- d-----w- C:\92546d5f3d170e73ec0bf0
2009-12-14 13:52 . 2009-12-14 13:52 -------- d-----w- C:\91cdd5b4f92a414575b8
2009-12-14 13:52 . 2009-12-14 13:52 -------- d-----w- C:\24c80100adea7db056daa981c8
2009-12-11 00:12 . 2009-12-11 00:12 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2009-12-11 00:11 . 2009-12-11 00:11 148 ----a-w- c:\windows\system32\fjhdyfhsn.bat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-22 14:58 . 2009-04-29 14:26 -------- d-----w- c:\documents and settings\mikekafka\Application Data\IM
2009-12-22 14:45 . 2005-06-10 22:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-12-22 14:16 . 2005-08-04 17:27 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-22 14:14 . 2005-08-11 20:01 -------- d-----w- c:\program files\Symantec AntiVirus
2009-12-22 12:59 . 2005-10-12 13:13 -------- d-----w- c:\program files\Microsoft SQL Server
2009-12-21 12:33 . 2007-01-11 14:23 -------- d-----w- c:\program files\Viewpoint
2009-12-18 13:01 . 2007-01-11 14:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-12-17 12:47 . 2009-06-11 13:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-16 13:37 . 2005-08-04 17:24 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-15 15:27 . 2009-04-29 14:25 -------- d-----w- c:\documents and settings\mikekafka\Application Data\SolidWorks
2009-12-11 00:12 . 2004-08-04 00:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-03 22:14 . 2009-06-11 13:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 22:13 . 2009-06-11 13:15 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-18 02:10 . 2009-11-18 02:10 -------- d-----w- c:\documents and settings\mikekafka\Application Data\DassaultSystemes
2009-11-18 02:10 . 2007-01-11 17:23 -------- d-----w- c:\documents and settings\All Users\Application Data\DassaultSystemes
2009-10-29 07:45 . 2004-08-04 08:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-28 17:45 . 2009-10-28 17:45 89600 ----a-w- c:\windows\system32\atl71.dll
2009-10-21 05:38 . 2004-08-04 08:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 08:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 08:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-16 00:07 . 2009-10-16 00:07 262144 ----a-w- C:\ntuser.dat
2009-10-13 10:30 . 2004-08-04 08:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-04 08:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 08:00 79872 ----a-w- c:\windows\system32\raschap.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-25 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-25 77824]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-25 114688]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"SolidWorks_CheckForUpdates"="c:\program files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe" [2008-02-29 6767896]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"nwiz"="nwiz.exe" [2007-12-05 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"HP Network Registry Agent"="c:\windows\system32\hpnra.exe" [2000-10-26 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-16 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]

c:\documents and settings\sampyne\Start Menu\Programs\Startup\
SolidWorks Task Scheduler Engine.lnk - c:\program files\SolidWorks2007\swScheduler\swBOEngine.exe [2008-2-29 488728]

c:\documents and settings\tedbourbonnais\Start Menu\Programs\Startup\
SolidWorks Task Scheduler Engine.lnk - c:\program files\SolidWorks2007\swScheduler\swBOEngine.exe [2008-2-29 488728]

c:\documents and settings\mikekafka\Start Menu\Programs\Startup\
SolidWorks Task Scheduler Engine.lnk - c:\program files\SolidWorks2007\swScheduler\swBOEngine.exe [2008-2-29 488728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2005-8-10 221295]
VPN Client.lnk - c:\windows\Installer\{3E5562ED-69AB-4CEC-91E2-64E18EC5ACC6}\Icon3E5562ED7.ico [2005-8-10 6144]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 MSSQL$SIGMANEST;SQL Server (SIGMANEST);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2/10/2007 7:29 AM 29178224]
R2 Remote Solver for COSMOSFloWorks 2008;Remote Solver for COSMOSFloWorks 2008;c:\program files\SolidWorks2007\COSMOSFloWorks\FloWorks\binCFW\StandAloneSlv.exe [1/23/2008 5:37 PM 245760]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
Notify-NavLogon - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-22 08:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
"Policy"=hex:00,00,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(812)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\progra~1\WINDOW~1\wmpband.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\system32\hasplms.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\docume~1\MIKEKA~1\LOCALS~1\Temp\SolidWorksLicTemp.0001
c:\program files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2009-12-22 09:07:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-22 15:07

Pre-Run: 38,730,878,976 bytes free
Post-Run: 40,098,603,008 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - A437003D330587CA2F46DDE1024512F7

Hey PP,
As an FYI, Symantec Endpoint Protection needs to be completely removed inorder to run combofix. I tried to diable it and run it but it wouldn't so my only option was to completely remove it.

Thanks
Scott

As an FYI, Symantec Endpoint Protection needs to be completely removed inorder to run combofix. I tried to diable it and run it but it wouldn't so my only option was to completely remove it.

That's interesting - there is a command we can use to start combofix that may address this.....

Interestingly enough, I didn't see what I expected to see. So, let's try this:

First - DELETE this ---> c:\windows\system32\fjhdyfhsn.bat

Then:

Please run a scan with the Kaspersky Online Scanner 7.0
* Note that you may need to temporarily disable your Anti-virus program for the duration of this scan.

-- Accept the agreement and allow the scanner to load and update its definitions. This may take a few minutes.
-- After the program files are downloaded and the anti-virus database is successfully updated, please select the Scan section in the left part of the main program window.
-- Click My Computer to begin a complete scan of your computer, including critical areas.
-- Once the scan has finished, select the Reports section in the left part of the main program window. Click the Save report button in the report viewing window. The Saving window will open.
-- Name the file KAS 1 and choos to save it to the Desktop as a .txt file and then click the Save button.
Please post that for me.


Let's also do a more thorough rootkit scan. Please download GMER Rootkit Scanner:
http://www.gmer.net/download.php

-- DoubleClick the .exe file and, if asked, allow the gmer.sys driver to load.
* When GMER opens, it should automatically do a quick scan for rootkits.
When the quick scan finishes, click the Save Button and save the scanlog to your Desktop as GMER One.log.

-- If upon running GMER you receive a warning about Rootkit Activity and GMER asks if you want to run a scan, Click NO

-- Make sure the Rootkit/Malware Tab is selected (Top Left of GMER GUI)
Along the Right Side of the GMER GUI there will be a number of checked boxes. Please Uncheck the following:
- Sections
- Drives or Partitions other than your Systemdrive (usually C:\)
- Show All (be sure this one remains Unchecked)

-- Then, click the Scan Button
Allow the scan as long as it needs and then click the save button and name the log GMER Two.log and save it to where you can easily find it and post it for me along with the first log.

***Disconnect from the internet and do not run any other programs while GMER is scanning. Temporarily disable any real-time anti-spyware or anti-virus protection so they do not interfere with the running of GMER.
DO NOT take any action for any found items until I can have a look.


I'll check back as time permits.

Hope the holidays are treating you and your new addition well :)
PP

I am running the GMER scan right now.

I am having a problem with the Kaspersky though. When it goes to run it starts Java and then it says it needs an uninterupted internet connection, which it has so I am not sure if something virus related is messing with the continuous internet connection. After the GMER Two runs I will bring the terminal home with me over the holidays and try to get it to run at home.

I completely removed Symantec from this computer so it does not have any AV running at all.

I will post the GMER logs when they are complete and I will work on the Kaspersky issue.

As always thanks for your help with this and have a good holiday!

I am running the GMER scan right now.

I am having a problem with the Kaspersky though. . . .

OK - let me know how it shakes out.

I thought the new Kaspersky scan might be easier since it runs "in browser."
If no luck there, we can try something different.

Cheers :)
PP

I tried it on my other computers and it worked just fine. This sick one is having a problem with java. I removed java and installed it again with the same results. I ran the GMER two scan and it failed the first time. The computer shut itself down after about an hour and restarted itself. I started a scan again and its been rolling for about 2.5 hours now and its still chugging along. I do have results from the GMER One scan.

GMER One

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2009-12-23 10:03:22
Windows 5.1.2600 Service Pack 3
Running: ld6felfd[1].exe; Driver: C:\DOCUME~1\MIKEKA~1\LOCALS~1\Temp\uwldrkod.sys


---- System - GMER 1.0.15 ----

SSDT \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation) ZwEnumerateKey [0x804D70B5]
SSDT \WINDOWS\system32\ntoskrnl.exe[unknown section] [804D70B5] ZwEnumerateKey [0x804D70B5]
SSDT \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation) ZwEnumerateValueKey [0x804D70BA]
SSDT \WINDOWS\system32\ntoskrnl.exe[unknown section] [804D70BA] ZwEnumerateValueKey [0x804D70BA]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

I got about 3 hours into GMER Two and I get the blue screen error and the computer reboots itself.

Any other ideas?

Any other ideas?

Let's whack at it from a different direction:

Download RootRepeal.exe and save it on the root of C drive ---> C:\RootRepeal.exe
http://ad13.geekstogo.com/RootRepeal.exe
http://rootrepeal.psikotick.com/RootRepeal.exe

-- Open RootRepeal and click the Report Tab
-- Click the Scan Button.
-- Check ALL Seven Boxes
-- Click OK.
-- Check the box for your main system drive (Usually C:\) and Click OK.
-- Allow the scan to run for as long as it takes. When it finishes, Click Save Report.
Save the log to your desktop where you can find it easily and post it for me.

--Then, please run a fresh DDS scan and post the DDS.txt. I do not need to see Attach.txt.

Cheers :)
PP

will do in the AM.

Thanks

RootRepeal log:

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/12/24 07:14
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB6549000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79F7000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB4341000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\0b6f341f25ece7c8d1d983e4
Status: Invisible to the Windows API!

Path: c:\windows\temp\hlktmp
Status: Allocation size mismatch (API: 33570816, Raw: 0)

Path: c:\windows\temp\perflib_perfdata_e4.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Documents and Settings\mikekafka\Desktop\Dc2.txt
Status: Locked to the Windows API!

Path: C:\Documents and Settings\mikekafka\Desktop\Dc3.txt
Status: Locked to the Windows API!

Path: c:\documents and settings\mikekafka\application data\im\sldimschedulerlog_20080-40301-1100_00273.txt
Status: Allocation size mismatch (API: 8192, Raw: 0)

Path: c:\documents and settings\mikekafka\application data\im\sldimschedulerlog_20080-40301-1100_00275.txt
Status: Allocation size mismatch (API: 8192, Raw: 0)

Path: c:\documents and settings\mikekafka\application data\im\sldimschedulerlog_20080-40301-1100_00276.txt
Status: Allocation size mismatch (API: 8192, Raw: 0)

Path: c:\documents and settings\mikekafka\application data\im\sldimschedulerlog_20080-40301-1100_00278.txt
Status: Allocation size mismatch (API: 8192, Raw: 0)

Path: c:\documents and settings\mikekafka\local settings\temp\~dfab64.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\mikekafka\local settings\temp\~dfb86e.tmp
Status: Allocation size mismatch (API: 327680, Raw: 16384)

Path: c:\documents and settings\mikekafka\local settings\temp\~dfdb7c.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\program files\microsoft sql server\mssql$sigmanest\log\log_499.trc
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\program files\microsoft sql server\mssql$sigmanest\log\log_500.trc
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\program files\microsoft sql server\mssql$sigmanest\log\log_503.trc
Status: Allocation size mismatch (API: 4096, Raw: 0)

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\ntoskrnl.exe" at address 0x804d70a6

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\ntoskrnl.exe" at address 0x804d70b0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\ntoskrnl.exe" at address 0x804d70a1

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "C:\WINDOWS\system32\ntoskrnl.exe" at address 0x804d70b5

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "C:\WINDOWS\system32\ntoskrnl.exe" at address 0x804d70ba

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\system32\ntoskrnl.exe" at address 0x804d70c9

#: 160 Function Name: NtQueryKey
Status: Hooked by "C:\WINDOWS\system32\ntoskrnl.exe" at address 0x804d70c4

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\system32\ntoskrnl.exe" at address 0x804d70bf

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\ntoskrnl.exe" at address 0x804d70ab

==EOF==

DDS log:

DDS (Ver_09-12-01.01) - NTFSx86
Run by MikeKafka at 7:59:10.98 on Thu 12/24/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2411 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\hasplms.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SolidWorks2007\COSMOSFloWorks\FloWorks\binCFW\StandAloneSlv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\hpnra.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\SolidWorks2007\swScheduler\swBOEngine.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\DOCUME~1\MIKEKA~1\LOCALS~1\Temp\SolidWorksLicTemp.0001
C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\dllhost.exe
C:\RootRepeal.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\mikekafka\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [SolidWorks_CheckForUpdates] "c:\program files\common files\solidworks installation manager\scheduler\sldIMScheduler.exe" /scheduler
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [HP Network Registry Agent] c:\windows\system32\hpnra.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\mikeka~1\startm~1\programs\startup\solidw~1.lnk - c:\program files\solidworks2007\swscheduler\swBOEngine.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{3e5562ed-69ab-4cec-91e2-64e18ec5acc6}\Icon3E5562ED7.ico
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123169160567
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147888441115
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} - hxxp://www.live365.com/players/play365.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 MSSQL$SIGMANEST;SQL Server (SIGMANEST);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2007-2-10 29178224]
R2 Remote Solver for COSMOSFloWorks 2008;Remote Solver for COSMOSFloWorks 2008;c:\program files\solidworks2007\cosmosfloworks\floworks\bincfw\StandAloneSlv.exe [2008-1-23 245760]

=============== Created Last 30 ================

2009-12-24 13:12:57 0 ----a-w- C:\settings.dat
2009-12-24 13:12:26 472064 ----a-w- C:\RootRepeal.exe
2009-12-24 02:19:56 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-23 20:11:17 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-12-22 14:21:16 0 d-sha-r- C:\cmdcons
2009-12-22 14:19:22 98816 ----a-w- c:\windows\sed.exe
2009-12-22 14:19:22 77312 ----a-w- c:\windows\MBR.exe
2009-12-22 14:19:22 261632 ----a-w- c:\windows\PEV.exe
2009-12-22 14:19:22 161792 ----a-w- c:\windows\SWREG.exe
2009-12-21 17:49:02 0 d--h--w- c:\windows\PIF
2009-12-16 14:02:39 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2009-12-16 14:02:39 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-12-16 14:02:39 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-12-16 14:02:39 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-12-16 14:02:39 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-12-16 14:02:39 11069952 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-12-16 14:02:35 0 d-----w- c:\windows\ie8updates
2009-12-16 14:02:09 92160 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-12-16 14:00:25 0 dc-h--w- c:\windows\ie8
2009-12-16 13:49:35 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-15 18:29:48 0 d-----w- c:\program files\ESET
2009-12-14 13:53:06 0 d-----w- C:\69b7e6b16957ee122e89
2009-12-14 13:53:04 0 d-----w- C:\92546d5f3d170e73ec0bf0
2009-12-14 13:52:57 0 d-----w- C:\91cdd5b4f92a414575b8
2009-12-14 13:52:54 0 d-----w- C:\24c80100adea7db056daa981c8
2009-12-11 00:12:48 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys

==================== Find3M ====================

2009-12-11 00:12:48 96512 ------w- c:\windows\system32\drivers\atapi.sys
2009-12-03 22:14:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 22:13:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-29 07:45:38 916480 ------w- c:\windows\system32\wininet.dll
2009-10-29 07:45:38 916480 ------w- c:\windows\system32\dllcache\wininet.dll
2009-10-29 07:45:37 5940736 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-10-29 07:45:37 206848 ------w- c:\windows\system32\dllcache\occache.dll
2009-10-29 07:45:37 1208832 ------w- c:\windows\system32\dllcache\urlmon.dll
2009-10-29 07:45:35 25600 ------w- c:\windows\system32\dllcache\jsproxy.dll
2009-10-29 07:45:34 184320 ------w- c:\windows\system32\dllcache\iepeers.dll
2009-10-29 07:45:32 387584 ------w- c:\windows\system32\dllcache\iedkcs32.dll
2009-10-29 05:38:22 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
2009-10-28 17:45:20 89600 ----a-w- c:\windows\system32\atl71.dll
2009-10-28 14:40:47 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
2009-10-16 00:07:20 262144 ----a-w- C:\ntuser.dat
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:30:16 270336 ------w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:19 149504 ------w- c:\windows\system32\dllcache\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:38:18 79872 ------w- c:\windows\system32\dllcache\raschap.dll

============= FINISH: 7:59:18.46 ===============

Hey Scott,

That last batch of logs looks OK.

I guess I was not seeing what I expected to see because it really wasn't there, LOL!
Sorry for making you do the extra scans.

How's the machine behaving?

PP:)

I just ran the F-Secure scan and it did pull some more stuff off but it did not clean this file:
UMANIYETASOYU.DLL

The machine seems to be running fine but I noticed that I have an icon in tray by the start button I can't seem to get rid of. Also I am not sure why I can't get teh Kaspersky scan to run. It says I need an uninterrupted connection to the internet which it has. On all my other machines it runs fine but this one it wont run. Other than those things I do not notice anything. I have no problem running what ever scan you tell me I just let the machine sit in the corner and run so if there is anything else you want me to try just let me know.

Again thanks for all your help.

Again thanks for all your help.

Happy to help :)

-- What does the tray icon look like? Do you know what it belongs to?

-- What is UMANIYETASOYU.DLL?
Can you locate it and see what it belongs to or upload it for analysis at http://virusscan.jotti.org/en
It is likely not active and fairly old to not show in any of the logs.

Not sure what the issue is with the Kaspersky scanner... Probably some sort of security or network setting.
This one's a puzzler since I cannot see anything in the logs.
What browser did you use?

PP:)

It was a quick start icon for SolidWorks. It's a cad software I use. I delete it and it just pops back up. It looks like a shortcut icon that you would have on your desktop when the link is broken. I will try the other stuff tonight.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.